Odaily Planet Daily News: According to monitoring by the SlowMist security team, on July 2 a victim reported that their crypto assets had been stolen after they used an open-source project hosted on GitHub, zldp2002/solana-pumpfun-bot, the day before. SlowMist's analysis found that in this incident the attacker disguised malicious code as a legitimate open-source project (solana-pumpfun-bot) to lure users into downloading and running it. With the project's popularity boosted as cover, users ran a Node.js project carrying malicious dependencies without taking any precautions, which led to the leakage of wallet private keys and the theft of assets. The attack chain involved multiple GitHub accounts working in coordination, which widened the project's reach and increased its credibility, making it highly deceptive. Because such attacks combine social engineering with technical means, they are difficult to fully defend against even within organizations. SlowMist advises developers and users to be highly vigilant about unknown GitHub projects, especially those involving wallet or private key operations. If debugging is truly necessary, it recommends running and debugging the project in an isolated environment that holds no sensitive data.